---
title: "Authentication"
description: "How to secure your API calls"
icon: "shield-halved"
---

## What's This About?

When your AI needs to access secure parts of your system (like user data or private APIs), it needs the right permissions. This guide shows you how to set that up.

## Two Ways to Add Authentication

### 1. From Your App (Dynamic Auth)

If you're using our widget in your app, you can pass authentication tokens directly:

```javascript
initAiCoPilot({
    // Other settings...
    headers: {
        // Add any auth headers you need
        "Authorization": "Bearer your-token-here",
        "API-Key": "your-api-key",
        // Add as many headers as you need
    }
});
```

This is great when:
- Your users need to be logged in
- Each user has their own permissions
- You're using JWT tokens or API keys
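
The following is an added example, not code from the OpenCopilot project: instead of hardcoding a token in the page, it fetches a short-lived per-user JWT from your own backend, checks that it has not expired, and passes it to `initAiCoPilot`. The `/api/copilot-token` endpoint, its `{ token }` response shape and all helper names are assumptions.

```javascript
// Added example. Helper names and the token endpoint are hypothetical.

// Decode a JWT payload WITHOUT verifying it. The browser only reads `exp` so it
// never sends a stale token; the API being called must still verify the signature.
function readJwtPayload(token) {
    const parts = String(token).split(".");
    if (parts.length !== 3) throw new Error("not a JWT");
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
}

// Build the `headers` object for initAiCoPilot from a per-user token.
// Rejects tokens that are expired or expire within `minTtlSeconds`.
function buildCopilotHeaders(token, nowSeconds = Math.floor(Date.now() / 1000), minTtlSeconds = 30) {
    const { exp } = readJwtPayload(token);
    if (typeof exp !== "number") throw new Error("token has no exp claim");
    if (exp - nowSeconds < minTtlSeconds) throw new Error("token expired or about to expire");
    return { Authorization: `Bearer ${token}` };
}

// Fetch a short-lived token for the logged-in user from your own backend
// (hypothetical endpoint and response shape), then hand it to the widget.
async function startCopilot(tokenUrl = "/api/copilot-token") {
    const res = await fetch(tokenUrl, { credentials: "same-origin" });
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const { token } = await res.json();
    initAiCoPilot({
        // Other settings...
        headers: buildCopilotHeaders(token),
    });
}

// Constructed sample token for trying the helpers offline (signature is a dummy).
function makeSampleToken(exp) {
    const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
    return `${enc({ alg: "HS256", typ: "JWT" })}.${enc({ sub: "user-1", exp })}.constructed-signature`;
}
```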

### 2. From Our Dashboard (Static Auth)

If you need to set up authentication that's the same for everyone:

<Steps>
  <Step title="Go to Settings">
    Open your copilot dashboard and find "Copilot Settings".
  </Step>
  
  <Step title="Find Headers Section">
    Scroll down to "Global variables/headers".
  </Step>
  
  <Step title="Add Your Headers">
    Add any authentication headers you need:
    - API keys
    - Access tokens
    - Custom headers
  </Step>
</Steps>

<video
    autoPlay
    muted
    loop
    playsInline
    className="w-full aspect-video"
    src="images/auth.mp4"
></video>

This is perfect when:
- You're using the AI on a public website
- You don't want to expose tokens in your frontend code
- You need the same authentication for all users
- You're testing things out

## Security & Storage

<Note>
**Important Security Information:**
- Headers passed through the widget (`initAiCoPilot`) are never stored in our system
- Only headers configured in the dashboard are stored, and these are encrypted in our database
- We follow industry-standard encryption practices to protect your sensitive data
</Note>

<CardGroup cols={2}>
  <Card title="Widget Headers" icon="shield-xmark">
    - Not stored anywhere
    - Used only during runtime
    - Perfect for user-specific tokens
  </Card>
  <Card title="Dashboard Headers" icon="shield-check">
    - Encrypted in our database
    - Safely stored and managed
    - Ideal for system-wide tokens
  </Card>
</CardGroup>

## Quick Tips

<CardGroup cols={2}>
  <Card title="Security First" icon="shield-check">
    Never put sensitive tokens in your frontend code if you can avoid it.
  </Card>
  <Card title="Test It Out" icon="vial">
    Always test your authentication with a few API calls before going live.
  </Card>
</CardGroup>

Need help? Join our [Slack community](https://slack.opencopilot.so) for support!